Secure locate with ecryptfs, part 2

A few months ago, I hacked up a solution for secure locate and ecryptfs. Ian D. Allen suggested a better method, using a private per-user locate database rather than mucking with the system one. I’ve taken his suggestion.

This guide assumes you have already encrypted your home directory with ecryptfs.

Since Ubuntu lucid, updatedb skips the decrypted ecryptfs mounts (PRUNEFS includes ecryptfs), but it still walks the lower directories that hold the ciphertext, so the system database fills up with encrypted filenames, which is useless to you and leaks the encrypted names to anyone who can run locate. Edit /etc/updatedb.conf, add those lower-directory paths to PRUNEPATHS, and make sure PRUNEFS includes ecryptfs. Note that mlocate matches PRUNEPATHS entries literally, exactly as locate would report the directory, so a wildcard such as /home/*/.Private does not expand; on current Ubuntu ~/.Private is a symlink into /home/.ecryptfs, which updatedb does not follow, so pruning /home/.ecryptfs is what actually does the work, and if ~/.Private is a real directory on your system you must list each user's path explicitly.

sudo vi /etc/updatedb.conf

Mine looks like this:

PRUNEPATHS="/tmp /var/spool /media /home/.ecryptfs /home/*/.Private"
PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre_lite tmpfs usbfs udf fuse.glusterfs fuse.sshfs ecryptfs fusesmb devtmpfs"

Force the system database to update, or wait for the next (daily) run. Afterwards, locating the ECRYPTFS_FNEK_ENCRYPTED prefix that encrypted filenames carry should return nothing.

sudo updatedb

Now, we need to create our local user updatedb script and locate database.

mkdir ~/.mlocate

Download my updatedb script, and uncompress it to ~/.mlocate/.

cd ~/.mlocate
wget http://www.tolaris.com/blog/wp-content/uploads/2011/02/updatedb.gz
gunzip updatedb.gz
chmod 700 updatedb

This is a modified copy of /etc/cron.daily/updatedb. It indexes only $HOME, and stores the resulting database in ~/.mlocate/. Like the system cron updatedb script, my script won’t run when on battery power, and it uses ionice to minimise impact on the user.

Now, edit your user crontab and add a line to run this script.

crontab -e

The following line runs hourly. The -x test fails while my home directory is not mounted (that is, while I am logged out and it is still encrypted), so the script simply does not run then.

# m h  dom mon dow   command
47 * * * * [ -x $HOME/.mlocate/updatedb ] && $HOME/.mlocate/updatedb 2> /dev/null

Force the new script to run, or wait an hour.

$HOME/.mlocate/updatedb

Finally, add the new database to the LOCATE_PATH environment variable. mlocate searches the databases listed there in addition to the default /var/lib/mlocate/mlocate.db, so you still get the system locate results as well. Put the following line in .bashrc or anywhere else your shell will source.

export LOCATE_PATH="$HOME/.mlocate/mlocate.db"
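Putting the steps above together, here is a per-user updatedb script in the same spirit as the one linked earlier. It is an added example written for this page, not the author's script, and it assumes mlocate's updatedb(8) (the -l, -o, -U and -e options), GNU find, and on_ac_power(1) from the powermgmt-base package; the function names home_is_decrypted and acquire_lock are my own. It refuses to run while the home directory is not an ecryptfs mount, skips battery power the way the Debian cron job does, takes its lockfile with noclobber so two overlapping cron runs cannot both write the database, clears a lock older than a day (the stale-lock case raised in the comments), indexes only $HOME with the raw lower directories pruned, and makes the resulting database mode 0600 since it lists every filename you own.

```shell
#!/bin/sh
# Per-user updatedb for an ecryptfs home (added example, not the script linked
# from the post). Assumes mlocate's updatedb(8), GNU find and on_ac_power(1).

HOME_DIR="${HOME:-}"
DB_DIR="${HOME_DIR}/.mlocate"
DB="${DB_DIR}/mlocate.db"
LOCKFILE="${DB_DIR}/updatedb.lock"
MOUNTS="/proc/mounts"

# Succeed only if "$2" appears in the mounts table "$1" as an ecryptfs mount,
# i.e. the decrypted view of the home directory is currently available.
# Takes the mounts file as a parameter so it can be exercised on a sample.
home_is_decrypted() {
    mounts="$1"; home="$2"
    awk -v h="$home" '$2 == h && $3 == "ecryptfs" { ok = 1 }
                      END { if (ok) exit 0; exit 1 }' "$mounts"
}

# Create the lockfile atomically using the shell's noclobber option; fail if
# another run already holds it. A lock older than a day is treated as stale
# (a dead run that never reached its trap) and removed first.
acquire_lock() {
    lock="$1"
    if [ -e "$lock" ] && [ -n "$(find "$lock" -mmin +1440 2>/dev/null)" ]; then
        rm -f "$lock"
    fi
    ( set -C; : > "$lock" ) 2>/dev/null
}

release_lock() { rm -f "$1"; }

# Index only HOME_DIR into the private database. -l 0 turns off mlocate's
# per-file visibility check, which only matters for a shared database; -e
# prunes the ciphertext directories in case they are real directories here.
index_home() {
    umask 077
    ionice -c3 nice -n19 updatedb -l 0 -U "$HOME_DIR" -o "$DB" \
        -e "${HOME_DIR}/.Private ${HOME_DIR}/.ecryptfs" || return 1
    chmod 600 "$DB"       # the filename list is as sensitive as the files
}

main() {
    home_is_decrypted "$MOUNTS" "$HOME_DIR" || exit 0   # logged out: nothing to index
    # on_ac_power exits 1 on battery; 0 (mains) and 255 (unknown) both proceed.
    if command -v on_ac_power >/dev/null 2>&1; then
        on_ac_power >/dev/null 2>&1
        [ "$?" -eq 1 ] && exit 0
    fi
    mkdir -p "$DB_DIR"
    acquire_lock "$LOCKFILE" || exit 0                   # another run in progress
    trap 'release_lock "$LOCKFILE"' EXIT INT TERM
    index_home
}

# Run only when invoked as the updatedb script, not when sourced.
case "$0" in */updatedb|updatedb) main "$@" ;; esac
```

Install it as ~/.mlocate/updatedb with mode 700 and the crontab line above will pick it up; the trap releases the lock on normal exit and on SIGINT/SIGTERM, which is why no explicit rm follows updatedb.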

You now have a personal locate database securely stored in your encrypted home directory.

  1. Ray Lee

    Thanks for this! I’m using a variant on the above to index my sometimes available home NAS right now.

    One question: I’m not the greatest bash scripter in the world so may be missing something obvious somewhere, but how does the lockfile get removed after updatedb finishes?

    Also, having a guard to check for stale lockfiles might be useful `[ 1 -eq $(find $LOCKFILE -cmin +1440 | wc -l) ] && echo assuming stale lockfile && rm -f $LOCKFILE` or somesuch.

    1. Ray Lee

      Oh, duh, the trap. Never mind.

      1. Tyler Wagner

        It’s good to consider that possibility anyway (stale lockfiles), but so far I’ve not had a problem with one. Also, this script is just a modification of the Debian/Ubuntu mlocate one. If it works for the system …

      2. John

        Thanks. This was very helpful.

      3. Western Australia

        You are actually a good webmaster. The web site loading pace is amazing. It sort of feels that you are doing any distinctive trick. Also, the contents are masterpiece. You have performed a fantastic process in this topic!

      4. Mak

        I’m getting:

        mak@MakLap:~/.mlocate$ locate new.txt
        /home/mak/Desktop/new.txt
        /home/mak/.mlocate/mlocate.db: No such file or directory

        After following the instructions to the letter; where does the mlocate.db file get created?

        I’ve rebooted, run sudo updatedb, and run the steps again, but even though the file I used as an example now shows up where before it did not, I’m getting that appended error.
